Bug 657201 (CVE-2011-2368)

WebGL crash [@createProgram/@gldCopyTexSubImage]

RESOLVED FIXED in Firefox 5

Status


Core
Canvas: WebGL
--
critical
RESOLVED FIXED
6 years ago
9 months ago

People

(Reporter: posidron, Assigned: bjacob)

Tracking

(Blocks: 1 bug)

Trunk
mozilla6
x86_64
Mac OS X
Points:
---

Firefox Tracking Flags

(firefox5+ fixed, status2.0 wanted, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [sg:critical?])

Attachments

(5 attachments)

(Reporter)

Description

6 years ago
Created attachment 532499 [details]
testcase

Sometimes it crashes in createProgram, sometimes in gldCopyTexSubImage.

The bug is currently only reproducible against:

ProductName:	Mac OS X
ProductVersion:	10.6.7
BuildVersion:	10J869
OpenGL renderer string: ATI Radeon HD 6750M OpenGL Engine
OpenGL version string: 2.1 ATI-1.6.32

I have marked this as a security issue because I get some write violations at different places.
(Reporter)

Comment 1

6 years ago
Created attachment 532500 [details]
callstack1-read-0
(Reporter)

Comment 2

6 years ago
Created attachment 532501 [details]
callstack2-write-0
(Reporter)

Comment 3

6 years ago
Created attachment 532502 [details]
callstack3-write-value.txt
(Reporter)

Updated

6 years ago
Summary: WebGL crash [@gldCopyTexSubImage] → WebGL crash [@createProgram/@gldCopyTexSubImage]
(Assignee)

Comment 4

6 years ago
Oh oh, really interesting! All 3 crashes have in common that they happen inside glValidateProgram(). In bug 593867, we already decided to avoid calling glValidateProgram on Macs with NVIDIA cards. Now you're getting problems with an ATI card --> let's completely avoid glValidateProgram(), which means that it wasn't NVIDIA specific.
(Assignee)

Comment 5

6 years ago
Chris, I had filed Apple bug 9129482, but it got closed as "missing information". It seems that this bug could use some pushing by an Apple insider ;-)
(Assignee)

Comment 6

6 years ago
Created attachment 532643 [details] [diff] [review]
really disable validateProgram() on Mac
Attachment #532643 - Flags: review?(christoph.diehl)
(Assignee)

Comment 7

6 years ago
Note: it's also very interesting to have this on Mac OS 10.6.7. My Apple bug got closed as I was unable to confirm whether it still happened on 10.6.7.
(Reporter)

Comment 8

6 years ago
Fixed - thanks Benoit.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 9

6 years ago
We should keep this bug open until it's actually fixed in the tree! Please review my patch or tell me if you would like me to find someone else.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 10

6 years ago
Oh. Sorry for closing it too early.

I already reviewed your patch, applied it to my build and checked it against the provided testcase. ;)
(Assignee)

Comment 11

6 years ago
Welcome to Mozilla bureaucracy: if you approve my patch, please click 'Details', then on the 'review' line, select '+'.

Then we will land it, paste here a link to the changeset, and finally close this bug.
(Reporter)

Updated

6 years ago
Attachment #532643 - Flags: review?(christoph.diehl) → review+
(Assignee)

Updated

6 years ago
Attachment #532643 - Flags: approval-mozilla-aurora?
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
status2.0: --- → wanted
status-firefox5: --- → affected
tracking-firefox5: --- → +
tracking-firefox6: --- → ?
Whiteboard: [sg:critical?]
Attachment #532643 - Flags: approval-mozilla-beta?
(Reporter)

Updated

6 years ago
Blocks: 658170

Updated

6 years ago
Attachment #532643 - Flags: approval-mozilla-beta?
Attachment #532643 - Flags: approval-mozilla-beta+
Attachment #532643 - Flags: approval-mozilla-aurora?

Comment 12

6 years ago
Comment on attachment 532643 [details] [diff] [review]
really disable validateProgram() on Mac

Please land this change on both Aurora and Beta. (In the future, getting changes in during Aurora will save you this extra step.)
Attachment #532643 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 13

6 years ago
mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/9ca849387799

I didn't realize that this was now sg-critical, sorry. Will land on aurora and beta ASAP.
(Assignee)

Updated

6 years ago
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Assignee: nobody → bjacob
Pushed to Beta:
http://hg.mozilla.org/releases/mozilla-beta/rev/eba2dce26189

The fix was already on Aurora, as the Central->Aurora merge happened since I landed on Central.

Updated

6 years ago
status-firefox5: affected → fixed
tracking-firefox6: ? → ---

Updated

6 years ago
Attachment #532643 - Flags: approval-mozilla-aurora+
Alias: CVE-2011-2368
Group: core-security

Updated

6 years ago
Target Milestone: --- → mozilla6

Comment 15

9 months ago
The workaround that was added in this issue is about 5 years old now. Marked down bug 1284425 to discuss if the workaround is relevant any more on recent OS X versions.